Auditd for the Masses
Philipp Krenn @xeraa
Learn about a breach
- From the press or users
- Attackers asking for a ransom
- Cloud provider's bill
- Yourself after the fact
- Yourself but unsure about harm
- Yourself & you can prove no harm
No silver bullet
Questions: https://sli.do/xeraa Answers: https://twitter.com/xeraa
Auditd https://github.com/linux-audit
"auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities."
What auditd can do
- Watching file access
- Monitoring system calls
- Recording commands run by a user
- Recording security events
- Monitoring network access
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
Demo
More Rules https://github.com/linux-audit/audit-userspace/tree/master/rules
Namespaces WIP https://github.com/linux-audit/audit-kernel/issues/32#issuecomment-395052938
Problem How to centralize?
Infrastructure | Developer
Disclaimer: I build highly monitored Hello World apps
Filebeat Module: Auditd
Demo
Auditbeat
Auditd Module
- Correlate related events
- Resolve UIDs to user names
- Native Elasticsearch integration
Auditd Module
- eBPF powers on older kernels
- Run side by side with Auditd
- Easier configuration
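The two slides above describe what Auditbeat's auditd module does with the raw records: the SYSCALL, CWD and PATH lines that auditd writes for one system call share a serial number, and the module stitches them into a single event and turns numeric UIDs into names. The following Python is an added example written for this page, not Auditbeat's or auditd's own code; it does that correlation over a few constructed audit.log lines (modelled on the record layout in the Red Hat auditing guide linked earlier) and uses a constructed `PASSWD` map in place of a real /etc/passwd lookup.

```python
"""Correlate raw auditd records by serial and resolve UIDs (added example)."""
import re

# Constructed sample records in raw /var/log/audit/audit.log format. Serial
# 24287 is a denied read of sshd_config by uid 500 (auditd key "sshd_config");
# serial 24288 is an execve by a daemon with no login session (auid unset).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481400.101:24288): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=1 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=PATH msg=audit(1364481400.101:24288): item=0 name="/usr/sbin/cron" inode=1 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# Constructed stand-in for /etc/passwd (on a real host use pwd.getpwuid).
PASSWD = {0: "root", 500: "shadowman"}

# auid=4294967295 is (uid_t)-1, the kernel's "no login uid set" marker.
UNSET_AUID = 4294967295

HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into type, timestamp, serial and a field dict."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "timestamp": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def resolve_uid(uid, passwd):
    """Map a numeric uid to a name, keeping the number when unknown."""
    if uid == UNSET_AUID:
        return "unset"
    return passwd.get(uid, str(uid))


def correlate(log_text, passwd=PASSWD):
    """Group records sharing one serial into a single event, ordered by serial."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {
            "serial": rec["serial"], "timestamp": rec["timestamp"], "paths": []})
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            ev.update(syscall=int(f["syscall"]), success=f["success"] == "yes",
                      exe=f.get("exe"), comm=f.get("comm"), key=f.get("key"),
                      uid=int(f["uid"]), auid=int(f["auid"]))
            ev["user"] = resolve_uid(int(f["uid"]), passwd)
            ev["login_user"] = resolve_uid(int(f["auid"]), passwd)
        elif rec["type"] == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rec["type"] == "PATH":
            ev["paths"].append(f.get("name"))
    return [events[s] for s in sorted(events)]


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(ev["serial"], ev["user"], ev["login_user"], ev["exe"],
              "ok" if ev["success"] else "denied", ev["paths"], ev.get("key"))
```

The `login_user` field is the one worth alerting on: `auid` survives `su` and `sudo`, so it names the person who logged in, while `uid` only tells you what the process ran as.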
Docker metadata enrichment
Demo
File Integrity Module
- inotify (Linux)
- fsevents (macOS)
- ReadDirectoryChangesW (Windows)
hash_types: blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, xxh64
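To show what the hash_types setting contributes, here is an added Python example (not the slides' or Auditbeat's code) of the integrity check itself: take a baseline of file sizes, modes and digests, re-scan later, and report created, deleted and updated files with the attributes that changed. Auditbeat gets its change notifications from inotify, fsevents or ReadDirectoryChangesW; this example polls instead, which is an assumption made to keep it portable. Only the hash_types names that Python's hashlib provides are mapped (xxh64 is not in hashlib and is left out), and the files it scans are created in a scratch directory by the example itself.

```python
"""Baseline-and-diff file integrity check (added example)."""
import hashlib
import os
import stat
import tempfile

# Subset of Auditbeat's hash_types names mapped to hashlib constructors.
# blake2b_* are BLAKE2b with the digest size in bytes; xxh64 is not in hashlib.
HASH_TYPES = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
    "sha3_256": hashlib.sha3_256,
    "blake2b_256": lambda: hashlib.blake2b(digest_size=32),
    "blake2b_512": lambda: hashlib.blake2b(digest_size=64),
}


def hash_file(path, hash_types=("sha256",)):
    """Return {hash_name: hexdigest} for one file, reading it only once."""
    hashers = {name: HASH_TYPES[name]() for name in hash_types}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot(root, hash_types=("sha256",)):
    """Record size, permission bits and digests of every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                continue
            state[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                **hash_file(path, hash_types),
            }
    return state


def diff(before, after):
    """Compare two snapshots; updated entries list the attributes that differ."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            events.append(("created", path))
        elif path not in after:
            events.append(("deleted", path))
        elif before[path] != after[path]:
            changed = sorted(k for k in after[path] if before[path].get(k) != after[path][k])
            events.append(("updated", path, changed))
    return events


def demo(hash_types=("sha256", "blake2b_256")):
    """Build a baseline in a scratch directory, change it, and return the events."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in (("conf.txt", b"a=1\n"), ("gone.txt", b"bye\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        baseline = snapshot(root, hash_types)
        # Simulate what a monitored host would see: an edit, a delete, a new file.
        with open(os.path.join(root, "conf.txt"), "wb") as fh:
            fh.write(b"a=2 changed\n")
        os.remove(os.path.join(root, "gone.txt"))
        with open(os.path.join(root, "new.txt"), "wb") as fh:
            fh.write(b"hello\n")
        return baseline, diff(baseline, snapshot(root, hash_types))


if __name__ == "__main__":
    for event in demo()[1]:
        print(*event)
```

Hashing every file on each pass is what makes polling expensive on large trees, which is exactly why Auditbeat subscribes to kernel change notifications and hashes only the paths it is told about.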
Demo
See moar Kibana visualizations & dashboards
Demo
PS: Machine Learning
Conclusion
Auditd, Auditbeat, Logs, Dashboards, ...
https://cloud.elastic.co
Next Steps https://dashboard.xeraa.wtf SSH: elastic-user@xeraa.wtf secret
Questions? Philipp Krenn @xeraa
PS: Sticker
Recommend
More recommend